ipv6: Check ip6_find_1stfragopt() return value properly.

Do not use unsigned variables to see if it returns a negative error or not. Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options") Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2017-05-17 22:54:11 -0400
committer: David S. Miller <davem@davemloft.net> 2017-05-17 22:54:11 -0400
commit: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 (patch)
tree: 069fed66bdc18c6043c981748bb28057fbc1bcf2 /net
parent: 579f1d926c66cc0bd3bd87b1fe2e091084b07430 (diff)
3 files changed, 12 insertions, 12 deletions
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index eab36abc9f22..280268f1dd7b 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
        const struct net_offload *ops;
        int proto;
        struct frag_hdr *fptr;
-        unsigned int unfrag_ip6hlen;
        unsigned int payload_len;
        u8 *prevhdr;
        int offset = 0;
@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
                skb->network_header = (u8 *)ipv6h - skb->head;
                if (udpfrag) {
-                        unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+                        int err = ip6_find_1stfragopt(skb, &prevhdr);
-                        if (unfrag_ip6hlen < 0)
+                        if (err < 0)
-                                return ERR_PTR(unfrag_ip6hlen);
+                                return ERR_PTR(err);
-                        fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+                        fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
                        fptr->frag_off = htons(offset);
                        if (skb->next)
                                fptr->frag_off |= htons(IP6_MF);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 01deecda2f84..d4a31becbd25 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
        int ptr, offset = 0, err = 0;
        u8 *prevhdr, nexthdr = 0;
-        hlen = ip6_find_1stfragopt(skb, &prevhdr);
+        err = ip6_find_1stfragopt(skb, &prevhdr);
-        if (hlen < 0) {
+        if (err < 0)
-                err = hlen;
                goto fail;
-        }
+        hlen = err;
        nexthdr = *prevhdr;
        mtu = ip6_skb_dst_mtu(skb);
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index b348cff47395..a2267f80febb 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
        u8 frag_hdr_sz = sizeof(struct frag_hdr);
        __wsum csum;
        int tnl_hlen;
+        int err;
        mss = skb_shinfo(skb)->gso_size;
        if (unlikely(skb->len <= mss))
@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
                /* Find the unfragmentable header and shift it left by frag_hdr_sz
                 * bytes to insert fragment header.
                 */
-                unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+                err = ip6_find_1stfragopt(skb, &prevhdr);
-                if (unfrag_ip6hlen < 0)
+                if (err < 0)
-                        return ERR_PTR(unfrag_ip6hlen);
+                        return ERR_PTR(err);
+                unfrag_ip6hlen = err;
                nexthdr = *prevhdr;
                *prevhdr = NEXTHDR_FRAGMENT;
                unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
author	David S. Miller <davem@davemloft.net>	2017-05-17 22:54:11 -0400
committer	David S. Miller <davem@davemloft.net>	2017-05-17 22:54:11 -0400
commit	7dd7eb9513bd02184d45f000ab69d78cb1fa1531 (patch)
tree	069fed66bdc18c6043c981748bb28057fbc1bcf2 /net
parent	579f1d926c66cc0bd3bd87b1fe2e091084b07430 (diff)